Tag Archives: Experian

The Next Step in Underwriting

When a person applies for a mortgage in the U.S., credit reports are pulled from all three bureaus — Equifax, Experian and TransUnion. Why? Because a single bureau does not provide the whole story. When you’re lending hundreds of thousands or millions of dollars it makes sense to find out as much as you can about the people borrowing the money. The lender wants the whole story.

When you’re underwriting the property, doesn’t it make sense to get more than one perspective on its risk exposure? Everyone in the natural hazard risk exposure business collects different data, models that data differently, projects that data in different ways and scores the information uniquely. While most companies start with similar base data, how it gets treated from there varies greatly.

When it comes to hazard data there are also three primary providers, HazardHub, CoreLogic and Verisk. Each company has its team of hazard scientists and its own way of providing an answer to whatever risk underwriting and actuarial could be concerned with. While there are similarities in the answers provided, there are also enough differences — usually in properties with questionable risk exposure — that it makes sense to mitigate your risk by looking at multiple answers. Like the credit bureaus, each company provides a good picture of risk exposure, but, when you combine the data, you get as complete a picture as possible.

Looking at risk data is becoming more commonplace for insurers. However, if you are looking at a single source of data, it is much more difficult to use hazard risk data to limit your risk and provide competitive advantage. Advances in technology (including HazardHub’s incredibly robust APIs) make it easier than ever to incorporate multi-sourced hazard data into your manual and automated underwriting processes.

As an insurer, your risk is enormous. Using hazard data — especially multi-sourced hazard data — provides you with a significantly more robust risk picture than a single source.

At HazardHub, we believe in the power of hazard information and the benefits of multi-sourcing. Through the end of July, we’ll append our hazard data onto a file of your choice absolutely free, to let you see for yourself the value of adding HazardHub data to your underwriting efforts.

For more information, please contact us.

Be on the Lookout for Tax Scams

Last fall, authorities in India busted nine — yes, nine — bogus IRS call centers, arresting 70 people on suspicion of tricking (and often scaring) Americans into sending money to settle “pressing” but nonexistent tax bills.

You receive a call from a purported IRS agent claiming you owe money and must pay it immediately. If you can’t (or don’t) come up with the money pronto, well, you can expect a police officer or U.S. marshal at your door, and you will be arrested and thrown in jail. In a 21st-century version of this scheme, you receive a robocall where an automated voice directs you to call a specific number to settle your debts with Uncle Sam. If you don’t call back right away, you could be anything from sued to arrested to deported, or maybe you’ll just have your driver’s license revoked.

It’s an inelegant ruse, of course. The prize? Your hard-earned cash and, for good measure, some of your personally identifiable information (PII).

I probably don’t have to explain this hot-and-heavy approach because you’ve probably been on the receiving end of one of these phone calls. IRS scams are so prevalent they topped the Better Business Bureau’s top scams of 2015 by a mile — and that was well before the IRS itself issued a warning to taxpayers saying there was a “summer surge” last year in IRS impersonation scams, with a new variant asking poor, unsuspecting taxpayers to fork over payment on iTunes gift cards.

A sigh of relief?

If you think the major bust in India means you can breathe a little easier every time your phone rings, unfortunately, you’re wrong.

Make no mistake, those nine phony call centers represent only a small fraction of all the nefarious enterprises out there. Consider the latest stats from the U.S. Treasury Inspector General for Tax Administration published in The Wall Street Journal: 8,000 victims have paid more than $47 million because of these completely phony “IRS agents.”

Scams are akin to the old whack-a-mole game or, to put an even finer point on it, a Lernaean hydra — cut one of them down, and two more will spring forth. In fact, around the same time police were raiding the bogus call centers, reports had surfaced that there was a new IRS scam in town: Fraudsters have started to send out notices about fake IRS tax bills related to the Affordable Care Act via email and traditional snail mail in an effort to meet their, ahem, sales goals.

What you can do

You should stay vigilant because it’s about to get significantly more difficult to avoid getting got. The IRS announced it’s going to begin using private collection firms to handle overdue federal tax debt, a change that could effectively throw the one-step method of avoiding phony IRS agents — hang up the phone! — out the window.

The IRS has yet to make it completely clear whether it’s going to allow the collection firms it’s hired to call debtors directly. But even with this significant change, there will be a few dead giveaways that there’s a scammer on the other end of the line.

  1. If you do owe Uncle Sam, you’ll have received a bill in the mail, and should you be one of the more unfortunate ones turned over to a legitimate collector, you’ll also get written notice that your debt has been transferred over to one of its collection firms: CBE Group, Conserve, Performant and Pioneer.
  2. You’ll be allowed to make your payments online at IRS.gov/PayYourTaxBill, so, if you’re not being told about this option, hang up and notify the IRS.
  3. Payments by check should be made to the “U.S. Treasury.” If you’re being asked to write one made payable to the collector or even the IRS (which can easily be altered to read “MRS.”), hang up the phone.
  4. There will never be any threat involving police or marshals or prison.

Other ways to protect yourself

Here is the toll-free number for the IRS: 800-829-1040. If you get even the slightest inkling that someone is trying to swindle you, hang up and immediately call the agency.

If you get an email that looks like it is coming from the IRS about a tax bill, do not click on any links (which could lead to malware designed to infect and infiltrate your computer system and steal any payment or personal information it can get its hands on). Instead, forward the email to phishing@irs.gov and wait patiently for someone to contact you about its validity.

What to do if you’re a victim

If you think you’ve already been had, well, then you’ve got some work to do. Report the crime to your local police, file a complaint with the Federal Trade Commission and call the IRS at the number provided above to find out if you really owe them money. Contact TIGTA to report the call either at 800-366-4484 or by using its IRS Impersonation Scam Reporting website. And then rely heavily on the three Ms I outline in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves:

  1. Minimize your exposure to fraud: If you did turn over your most sensitive personal information, request that a fraud alert be put on your credit file by all three credit bureaus — Equifax, Experian and TransUnion. You need only contact one, and it will electronically notify the other two. You might also consider a credit freeze, which is more comprehensive but cumbersome because you need to notify each credit bureau individually; lockdown of your credit report prevents thieves from opening new accounts in your name.
  2. Monitor your accounts. You might wish to purchase a combination credit and fraud monitoring service, which provides instant alerts if someone tries to open up lines of credit. You also may consider enrolling in transactional monitoring programs offered for free by banks, credit unions and credit card companies that notify you of any activity in your accounts. At the very least, keep an eye on your credit yourself. You can do this by pulling your credit reports for free each year at AnnualCreditReport.com and viewing two of your credit scores for free, updated every two weeks on Credit.com.
  3. Manage the damage. Close any account that has been tampered with or opened by a fraudster without your permission. And if you gave them the veritable skeleton key to your finances — your Social Security number — be sure to notify the IRS, do all of the above and file your taxes as early as possible next year to preclude anyone from getting their grubby little fingers on your refund.

Remember, it’s not just the phony taxman you have to worry about whenever you pick up the phone. Fraudsters come in all shapes and sizes, and, no matter how many scam centers authorities put out of business, the ultimate guardian of the consumer is the consumer (i.e., you)! Stay vigilant. While identity theft may be the third certainty in life, with a little luck you can make it that much harder for fraudsters to get you in their maw.

This post originally appeared on ThirdCertainty.

Full disclosure: IDT911 sponsors ThirdCertainty. This story originated as an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

Dark Web and Other Scary Cyber Trends

We have all heard the continued drum beat regarding hacking. Anthem, Sony, Target, Home Depot, Experian and various government and military branches have all been hacked and have received their fair share of negative press. In each case, people were harmed, leaders were fired, brands were damaged and no one was really surprised.

I am not a singularly focused cybersecurity expert, but I have been up to my neck in tech for 30 years and have a knack for seeing emerging patterns and macro trends and stitching those together to synthesize consequences and outcomes. In the case of the Dark Web, none of that is good news; the emerging patterns should worry us all. As English historian Thomas Fuller (1608-1661) wrote, “Security is the mother of danger and the grandmother of destruction.”

Below is my list of the “Top 10 Scary Macro Cyberthreat Trends,” and this is still early days for them.

1. The Dark Web Pareto 

Over the last decade, the hacker population has gone from 80% aficionados/hacktivists/deep-end-of-the-pool techies and 20% professional criminals to 80% professional criminals and 20% “other.” To be clear, by “professional criminal” I mean organized criminals who are there for the money, not just someone who broke the law.

2. “Lego-ization” of the Dark Web

Over the last few years, technology in the Dark Web has changed from intricate, end-to-end hacks to a place where one merely assembles “legos” that are commercially available (albeit inside an anonymized criminal environment). People buy not just tool kits with instructions but also “lego-ized” services like illicit call center agent time for more complex criminal activities such as getting access to someone’s bank account. Parts of the Dark Web look like IKEA without the assembly difficulty or the inevitable leftover parts.

3. The Dark Web embraces the capital-lite approach

Of course, the Dark Web has embraced the cloud-computing model for the reasons we see in the enterprise world. What this means to the criminal hacker or, more likely, hacker organization, is that they can now go asset-free and rent the assets they need when they need them.

For example, there are services for running a few hundred million password permutations in less than an hour for a few hundred dollars. Hackers no longer need to infect a massive number of computers to fire up a denial-of-service hack; they can simply rent time on a botnet, a massive number of “hijacked” computers up for sale in the Dark Web. Most companies still do not have a botwall to deflect bots.

Gameover ZeuS is a massive example of a botnet, with one variant able to generate 10,000 domains a day and more than three million zombie computers — just in the U.S. Botnets are sometimes referred to as “zombie armies” (surely there’s a TV series in there somewhere). The Bredolab botnet may have had as many as 30 million zombie computers.

4. Clandestine versus brazen 

The bragging rights for revealing a hacking “accomplishment” were once a hallmark of this space. Over the past decade or so, that factor has greatly diminished. The criminal enterprise would like nothing more than to go unnoticed. The recent massive Experian hack only came to light after the Secret Service let Experian know some of its stuff had been found for sale in the Dark Web. Focusing on avoiding detection by adopting smarter methods, targets, distribution models and revenue capture is better business and is in line with a longer, sustainable view of profit. None of the criminal organizations have boards of directors that pressure them to hit the quarterly sales and operating income figures. A hack is not a moment in time; if a hacker can go undetected, he or she can milk the hack for years. This is worrisome.

5. The total available market has grown and is target-rich 

The target space for crime connected to an IP node has grown tremendously, and so has the value of the content. The massive increase in mobile IP addresses, the online transactions we do and IP-related things like stored value cards or mileage points make a rich target for crime. It is 100x bigger than what it was just 10 to 15 years ago.

The target space’s growth is accelerating. After banking regulations on the minimum size of banks were relaxed in 1900, 2,000 banks were added in two years along with growth in the relatively new credit union sector. This increase in “target space” spawned bank robbers. Dark Web crime loves the increase in the target area and doesn’t mind that the “banks” are smaller. The number of people using the Web and the average amount of time spent on the Web continue to increase. I think with the advent of things like the Internet of Things, 5G, Li-Fi and a quantum leap in cloud computing capacity per unit cost, this increase will accelerate.

6. Small many versus big few 

Over the past decade, the trend in conjunction with the above items moved toward smaller “heists” but a lot more of them. Someone in Venezuela took $2 a month off my credit card for 18 months before it stopped. How many people would miss a dollar or two off a stored value card/account that has an auto-refill function like my Skype account does?

What sort of statistical controls would you put on your revenue flows (as a business) to even recognize that leakage? Of course, there are still big hacks going on, but a lot of those are just the front end of a B2B transaction that then sells off that big pool of hacked data to buyers in the criminal bazaar. Small, often and dispersed is harder to catch and more clandestine by nature.

7. Automation of the Dark Web

Timing is everything. As the Dark Web evolved into a scale-based, organized criminal environment, it leveraged modern automation from provisioning to tool sets to communications and even to billing.

Blackshades creepware is a great example of automation extending into the consumer product end. Available for $50, it has a point-and-click interface and has internalized all of the complexity and has automated hacking even for actors with very low-level tech skills. It allows the bad actor to browse files, steal data/passwords and use the camera (often relating to extortion). Blackshades infected more than 500,000 computers in more than 100 nations. A lot of the people who bought this did not have the skills to do any hacking without this kind of automation.

8. Tech getting better, faster, cheaper while talent improves

Late last year, TalkTalk, an ISP quad-play provider in the U.K., got hacked and held for ransom by four teenagers. The company estimates $90 million of cost tied to this hack, and no one really knows what the cost of the brand damage has been. There’s also a third of the company’s market cap gone, and it lost 95,000 customers. In all fairness, TalkTalk’s security was poor. The point here is that the technology in the Dark Web is getting faster, better and cheaper. At the same time, the average talent level is rising, which may not be the case in the non-criminal tech world.

There are three factors at play:

  1. Communities of collaboration and learning are becoming commonplace. Blackshades is a great example of a malicious tool with a super-low point of entry (price and tech skills) backed up by great online help and a community site.
  2. The likes of the Metropolitan Police Cyber Unit (London), the FBI, Interpol, etc. are all very effective and are continually improving organizations that stop crime and lock up cyber criminals. In some ways, this is a culling of the herd that also serves to create a positive Darwinian push on the average talent in the Dark Web.
  3. The giant upside financial opportunity to using tech skills for nefarious purposes creates a big gravitational pull that is only enhanced by recent economic and national turmoil, especially in places like Eastern Europe, Russia and Ukraine. In addition to that, state-sponsored or affiliated hackers with military-like rigor in their training can often make money moonlighting in the criminal world.

The combination of forces raising the talent level and the continued improvement of technology make for a bad combo. The Dark Web is also embracing open sourcing. Peer-to-peer bitcoin-based plays may become the next dark commerce platform.

9. The Dark Web itself

The Dark Web has evolved over the past decade or so from a foggy, barely penetrable space to a labyrinth of loosely connected actors and now to a massive, modernized bazaar thriving with commercial activity with a huge neon sign on the front door saying “Open for Business.” It is not just a bazaar; it is a huge B2B marketplace where the best criminals can resell their wares whole or in “lego-ized” pieces. Some of these criminals even offer testimonials and performance guarantees!

The Dark Web has moved from what economists call “perfect competition” to a more imperfect model trending toward oligopoly. In simpler terms, it is not a sea of malevolent individuals but, rather, the domain of organized businesses that happen to be largely illegal. These are organizations of scale that must be run like a business. This new structure will evolve, adapt and grow so much faster than the prior structure because these organizations have mission-focus and cash-flow pressures. Of course, the market forces common in a bazaar will winnow out low-value and defective products quickly, simply because word travels fast and customers vote with their wallets. 

10. The truly ugly “What’s next?” section

Like many thriving businesses, there is a tendency to move into adjacencies and nearby markets. This has already happened.

There is a lot of money in fiddling with clickstreams and online advertising flows. Bots account for about 50% of the traffic on the Internet; of those, about 60% are bad bots.

There is money to be made in transportation. One can buy fake waybills on the Dark Web to ship a crate to, say, Kiev at a fraction of the price FedEx or UPS would charge, even though the package will travel through FedEx or UPS.

Here are four emerging and even more worrisome areas that could be leveraged (in a bad way) by sophisticated, tech-savvy commercial criminal enterprises that are alive and thriving today in the Dark Web.

  • Internet of Things – It is just the beginning for the IoT. The available talent who know how to secure devices, sensors and tags from hacks and stop those hacks from jumping five hops up a network are few and far between, and they don’t normally work in the consumer and industrial spaces that make stuff and that have decided to make an IP-enabled model. Few boards in the Fortune 500 can have an intelligent conversation about cybersecurity at any level of detail that matters. In short, over the next few years, IoT may be a giant hunting ground. For instance, what if a hacker goes through the air conditioning control system to point-of-sale devices and steals credit card info? That is a target with a big bull’s eye on it. (That is what happened to Target.)
  • Robotics – This is a little further out, and the criminal cash flow is a little harder to predict, but IP-connected robots is a space that will grow exponentially over the next decade and be at key points in manufacturing, military and medical process flows. What is the ransom for holding a bottling plant hostage? The Samsung SGR-1 (no, not a new phone) is a thermal imaging, video-sensing robot with a highly accurate laser targeting gun that can kill someone from 3,000 yards out. The Oerlikon GDF005 is a less-sophisticated antiaircraft “gunbot” that is, in part, designed to be turned on and left to shoot down drones. These things are both hackable.
  • Biochem – What if some of the above Dark Web trends extend into this area, renting assets and expertise, point-and-click front-end designs? The bad news is that this seems to have started. 
  • The over-the-horizon worries – Nanotech, Li-Fi, AI, synthetic biology, brain computer interface (BCI) and genomics are all areas that, at some point in their evolution, will draw a critical mass of criminal Dark Web interest. The advances in these areas are at an astounding pace. They are parts of the near future, not the distant future. If you have not looked at CRISPR, google it. Things like CRISPR, coupled with progressively better economics, are going to supercharge this space. Li-Fi, coupled with 5G and the IoT (including accelerated growth in soft sensors), will create a large target space. The Open BCI maker community is growing quickly and holds enormous promise. Take a look at the Open BCI online shop and see what you could put together for $2,000 or $10,000. The Ultracortex Mark IV is mind-blowing (not literally) and only $299.

All of this is going to get worse before it gets better. This is clearly not a fair fight. This is a target-rich environment that is growing faster than almost anyone anticipated. The bad actors are progressively getting better organized, smarter and better built for “success.” Interpol, the FBI and other law enforcement agencies do great work, but a lot of it is after-the-fact.

Enterprises need new approaches to network-centric compartmentalized security. New thinking about upstream behavioral preventative design is needed for robustly secure IoT plays.

National organizations in law enforcement and intelligence need to think through fighting a borderless, adaptive, well-funded, loosely coupled, highly motivated force like those under the Dark Web umbrella. Those national organizations probably need to play as much offense as defense. Multiple siloed police and intelligence units that are bounded geographically, organizationally, financially and culturally probably will start out with a disadvantage.

This article was originally published on SandHill.com.

Why Credit Monitoring Doesn’t Work

Chances are you have received a letter stating that your personal data may have been compromised. Perhaps you were one of the 80 million people with an Anthem health insurance plan. Maybe you were one of the 21 million current or former employees of the federal government, or you could have been one of the 40 million who shopped at Target. There are countless examples where organizations failed to protect sensitive data and then were required to notify the affected individuals.

These notifications typically reveal how the breach happened, what steps are being taken to prevent another incident and what a company is doing to protect you from identity theft. Most organizations offer some form of credit monitoring and ID theft remediation services. Some states are beginning to mandate at least one year of credit monitoring under certain circumstances.

The Limits of Credit Monitoring

Offering credit monitoring seems to be a necessary post-breach strategy, and the very least a company would do. However, a deeper dive into what it does – and what it does not do – is long overdue.

Credit monitoring immediately notifies an individual that an attempt was made to obtain some form of credit in her name. Credit restoration services are usually offered when identity theft occurs. This is a valuable service that restores a victim’s good credit, saves time and alleviates stress.

Credit monitoring does not prevent identity theft. The only way to prevent an identity thief from accessing a victim’s credit is to either place a 90-day fraud alert on a credit file or freeze credit lines.

  • Fraud alerts require potential creditors to contact individuals before opening lines of credit. To activate a fraud alert, individuals are required to notify one of the three bureaus (Equifax, Experian or TransUnion) and to repeat the process every 90 days to maintain the fraud alert status.
  • Freezing credit can be accomplished by contacting all three credit bureaus and requires each one to place a freeze on an individual’s credit file. Each bureau provides a PIN # that can be used to lift the freeze later. There may be a nominal fee based on state of residence, which typically ranges from $5 to $15. Some states may require an additional fee to lift the freeze. A credit freeze may cost less than credit monitoring and identity theft restoration services. In fact, it has been widely reported that the Office of Personnel Management spent $133 million for three years’ credit monitoring for the 21 million individuals affected by their 2015 data breach.

Legal Ramifications of Offering Credit Monitoring

Offering credit monitoring can cost an organization even more than the dollars spent. In Remijas v. Neiman Marcus, the plaintiffs alleged that 350,000 payment cards were affected when hackers gained access to Neiman Marcus networks. Even though a small fraction of the cards were affected by fraudulent activity, the Seventh Circuit Court of Appeals granted the plaintiffs legal standing, allowing the class action to proceed, because card holders had a legitimate fear of future identity theft. Because Neiman Marcus offered credit monitoring to the card holders after the breach, the court concluded that it was conceding that future identity theft was entirely possible.

The state regulatory environment, coupled with recent appellate court decisions, leaves organizations in a difficult position. States are beginning to require credit monitoring following a data breach. Organizations that do not offer credit monitoring face scrutiny by attorneys general, potential fines for non-compliance and a public relations fiasco. Yet those that offer credit monitoring will incur significant costs and, as evidenced in Remijas v. Neiman Marcus, may actually hurt their defense in a class action lawsuit.

A Better Way to Protect Your Identity

A more rational approach is needed to identity protection. Organizations and state regulators reacting to data breaches involving sensitive data elements need to address ways to prevent identity theft. As of this writing, organizations cannot legally freeze a consumer’s credit for him, and have little means to prevent identity theft on his behalf. However, with the full support of state officials, a more efficient process to freeze credit can better protect identities and mitigate costs.

Was Your Data Taken in Experian Breach?

A breach of one of Experian’s servers – discovered on Sept. 15 – has resulted in 15 million compromised records with personal information like names and Social Security numbers. The breach included information about T-Mobile customers from as far back as 2013. Here are the details and action steps you can take if you think you’re a victim.

The server that was attacked housed records of those who applied for T-Mobile’s services between Sept. 1, 2013, and Sept. 16, 2015. Overall, the compromised information included…

  • Names
  • Addresses
  • Dates of birth
  • Driver’s license numbers
  • Social Security numbers
  • Passport IDs

The affected server was not part of Experian’s consumer credit bureau; nevertheless, a data breach is good reason to check your defenses when it comes to protecting your personal information, and there are plenty of ways you can protect yourself.

Make sure hackers didn’t steal your information and use it for their advantage. Annually check your credit reports and bank statements for suspicious activity, like a new line of credit or purchases you didn’t make.

Be cautious! When a breach like this occurs, fraudsters may call the victims and say they’re from the affected companies. They may ask you for your personal information, so they can “help” you. Keep in mind that T-Mobile and Experian made it clear that they will not send a message or call and ask for personal information connected with the incident.

Consider some of the major data breaches we’ve had in the past couple years:

  • JP Morgan Chase – 76 million customer records
  • Anthem – 87.6 million
  • Home Depot – 56 million
  • Target – 110 million

Whether or not you think you’re a victim, employing an identity theft protection plan is relevant and important.

Ironically, T-Mobile is offering resolution services through Experian’s ProtectMyID, for those who were affected by the data breach; however, full, continuing coverage demands an identity protection service that has more robust features than those provided through the complimentary membership.

ProtectMyID’s complimentary membership includes SSN and credit-card monitoring, but you also need monitoring for high-risk transactions and data sweeps. ProtectMyID includes credit monitoring and an Experian credit report upon entry, but you also need your credit score and identity risk score (showing how vulnerable you are to identity theft). ProtectMyID has lost wallet/purse assistance and alerts for suspicious activity, which is good. It is backed by $1 million identity theft insurance coverage, too, but you also need coverage that will reimburse you for the expenses you incur while returning your life to normal. ProtectMyID has fraud resolution agents who can offer assistance to victims, but you also need a financial consultation, a legal consultation and more.

You need stronger layers of protection against identity theft, help creating an action plan and professional assistance with addressing compromised information and accounts.

The Experian data breach is a big reminder of how a robust identity theft protection plan is absolutely necessary.